Академический Документы
Профессиональный Документы
Культура Документы
Make sure that the tunnels work before you apply the crypto maps.
Apply IPSec crypto maps to both the tunnel interface and the physical interface
Network Diagram
This document uses the network setup shown in the following illustration:
Following are the callout terms and definitions for the diagram, identified by
number:
1. Headquarters location
8. Branch 1 location
9. Branch 2 location
The Headquarters location (callout 1) uses a Cisco 3845 router with these
characteristics:
EzVPN server
ATM access to the Internet
Operating in a Cisco CallManager cluster
Public IP address: 10.32.152.26
Private IP address pool: 192.168.1.0/24
The Branch 1 location (callout 8) uses a Cisco 1841 router with these
characteristics:
Building configuration...
Current configuration : 6824 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Hub
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t8oN$hXnGodPh8ZM/ka6k/9aO51
!
username admin secret 5 $1$cfjP$kKpB7e3pfKXfpK0RIqX/E.
username ezvpn-spoke2 secret 5 $1$vrSS$AhSPxEUnPOsSpJkGdzjXg/
username ezvpn-spoke1 secret 5 $1$VK0p$4D0YXNOtC6K7MR4/vinUL.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
aaa session-id common
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name cisco.com
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
voice-card 0
no dspfarm
!
!--- IKE configuration
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any
!
crypto isakmp client configuration group VPN1
acl SPLIT_T
ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any
key cisco123
dns 192.168.168.183 192.168.226.120
wins 192.168.179.89 192.168.2.87
domain cisco.com
pool VPN-POOL
save-password
!
!--- IPSec configuration
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface ATM0/0/0
description === public interface ===
ip address 10.32.152.26 255.255.255.252
ip pim sparse-dense-mode
ip ospf network point-to-point
no atm ilmi-keepalive
pvc 10/100
protocol ip 10.32.152.25 broadcast
!
crypto map INT_MAP
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet4/1
switchport access vlan 10
no ip address
!
interface FastEthernet4/2
switchport access vlan 10
no ip address
!
interface FastEthernet4/3
switchport access vlan 10
no ip address
!
interface FastEthernet4/4
switchport access vlan 10
no ip address
!
interface FastEthernet4/5
switchport access vlan 10
no ip address
!
interface FastEthernet4/6
switchport access vlan 10
no ip address
!
interface FastEthernet4/7
switchport access vlan 10
no ip address
!
interface FastEthernet4/8
switchport access vlan 10
no ip address
!
interface FastEthernet4/9
switchport access vlan 10
no ip address
!
interface FastEthernet4/10
switchport access vlan 10
no ip address
!
interface FastEthernet4/11
switchport access vlan 10
no ip address
!
interface FastEthernet4/12
switchport access vlan 10
no ip address
!
interface FastEthernet4/13
switchport access vlan 10
no ip address
!
interface FastEthernet4/14
switchport access vlan 10
no ip address
!
interface FastEthernet4/15
switchport access vlan 10
no ip address
!
!-- Entries for FastEthernet 4/16 through 4/35 omitted for redundancy
!
interface GigabitEthernet4/0
no ip address
shutdown
!
interface GigabitEthernet4/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
!
!
ip local pool VPN-POOL 10.1.1.1 10.1.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.25
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login authentication USERLIST
!
!
end
!
Branch 1 Router Configuration (Cisco 1841 Router)
EzVPN-Spoke-1# show running-config
Building configuration...
.
.
Current configuration : 4252 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Spoke-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$b7.Q$Y2x1UXyRifSStbkH/YyrP.
!
username admin password 7 0519030B234D5C0617
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool PRIVATE_DHCP
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name cisco.com
ip sap cache-timeout 30
ip ssh time-out 30
ip ids po max-events 100
no ftp-server write-enable
!
!--- IPSec configuration
!
crypto ipsec client ezvpn VPN1
connect auto
group VPN1 key cisco123
mode client
peer 10.32.152.26
username ezvpn-spoke1 password cisco1
!
interface FastEthernet0/0
description === private interface ===
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN1 inside
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
pvc 0/35
encapsulation aal5snap
!
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
description === public interface ===
ip address 10.32.152.46 255.255.255.252
ip pim sparse-dense-mode
encapsulation ppp
dialer pool 1
dialer-group 1
crypto ipsec client ezvpn VPN1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.45
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login authentication USERLIST
!
!
end
Branch 2 Router Configuration (Cisco 2811 Router)
EzVPN-Spoke-2# show running-config
Building configuration...
.
Current configuration : 4068 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Spoke-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9BB/$KP4mHUWzUxzpuEPg5s7ow/
!
username admin password 7 10481A110C07
memory-size iomem 25
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool PRIVATE_DHCP
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
!
no ip domain lookup
ip multicast-routing
ip ids po max-events 100
!
no ftp-server write-enable
voice-card 0
no dspfarm
!
!--- IPSec configuration
!
crypto ipsec client ezvpn VPN1
connect auto
group VPN1 key cisco123
mode network-extension
peer 10.32.152.26
username ezvpn-spoke2 password cisco2
!
interface FastEthernet0/0
description === private interface ===
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN1 inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
description === public interface ===
ip address 10.32.150.46 255.255.255.252
crypto ipsec client ezvpn VPN1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
!
ip http server
no ip http secure-server
!
control-plane
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login authentication USERLIST
!
end
Verify
This section provides instructions for verifying that your configuration works
properly.
Certain show commands are supported by the Output Interpreter Tool (registered
customers only), which allows you to view an analysis of show command output. In
summary:
show crypto engine connections active�Shows the encrypted and decrypted packets.
show crypto ipsec sa�Shows the phase 2 IPSec security associations for the hub.
show crypto ipsec client ezvpn�Shows the phase 2 IPSec security associations for
the EzVPN client.
show crypto isakmp sa�Shows the phase 1 ISAKMP security associations.
One of the first indications of successful IPSec negotiation is a message displayed
on the Virtual Private Network (VPN) concentrator console. Upon successful IPSec
negotiation by the EzVPN clients, a message similar to the following is displayed
on the VPN concentrator console, indicating the establishment of crypto connections
to the remote EzVPN clients.
EzVPN-Hub#
The following examples show sample output for the show crypto ipsec sa and show
crypto ipsec client ezvpn commands.
The following is sample output from the show crypto ipsec sa command, performed
using the configuration on the EzVPN Hub location:
interface: ATM0/0/0
Crypto map tag: INT_MAP, local addr. 10.32.152.26
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0)
current_peer: 10.32.152.46:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
inbound ah sas:
outbound ah sas:
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 10.32.150.46:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
inbound ah sas:
outbound ah sas:
The following is sample output from the show crypto ipsec client ezvpn command,
performed using the configuration on the EzVPN Spoke 1 location:
The following is sample output from the show crypto ipsec client ezvpn command,
performed using the configuration on the EzVPN Spoke 2 location:
Troubleshoot
This section provides information for troubleshooting your configuration.
Note Before issuing debug commands, please see Important Information on Debug
Commands.
The following debug commands must be running on both IPSec routers (peers).
Security associations must be cleared on both peers.